Sacramento Municipal Utility District: Safely and Securely Enabling Their Workforce

The Sacramento Municipal Utility District (SMUD) is the sixth largest community-owned power company in the United States, servicing more than 600,000 customers in and around Sacramento. They have been recognized as an industry leader and award winner for their innovative energy efficiency programs, renewable power technologies and sustainable solutions for a healthier environment. SMUD is dedicated to staying at the forefront of green initiatives and is California’s first utility to receive over 20% of their energy from renewable resources. The organization breeds a culture committed to innovation and efficiency, so it’s no surprise their identity governance program is focused on just that.

While SMUD received recognition for their innovative business approach, their identity management lagged. User access and onboarding were managed manually, which was time-consuming and left room for error. With efficiency and innovation at the core of SMUD’s IT strategy, they knew investing in an identity program – one that offered visibility into their unstructured data – was necessary for the overall health of the company.

SMUD made the decision to invest in SailPoint IdentityIQ and set initial goals that included automating the management of roles, password management, access certifications and access requests. After implementation, the IT team saw an immediate improvement in the time it took to onboard and offboard employees, as well as in visibility into who has access to applications used across the company.

John Peters, Senior Enterprise Infrastructure Specialist at SMUD who spearheaded the program, reflected on the ease of using the tool saying, “The flexibility of IdentityIQ is what makes it such a powerful tool, and something we haven’t had access to before.”

SMUD’s identity program has had several achievements over the past few years and is crucial to mitigating overall risk and remaining compliant under strict regulatory requirements in the industry. Under John’s guidance and with the help of SailPoint, SMUD has automated identity processes, reduced call center tickets with password self-service and increased adherence to regulatory standards.

But SMUD was just getting started with the power of identity.

After SMUD implemented IdentityIQ, an audit finding revealed overexposed file shares (files living on a shared site such as SharePoint or NetApp) that included sensitive information (for example, Social Security numbers, addresses, credit card information, etc.). Based on SMUD’s early successes with IdentityIQ, they extended their identity governance program with IdentityIQ File Access Manager to address the concerns with unstructured data.

SMUD uses IdentityIQ File Access Manager’s permissions reporting to identify employees who have access to unstructured data files. IdentityIQ File Access Manager automatically collects and analyzes permissions across on-premises and cloud data repositories. IT departments can then easily visualize, manage and control how employees are granted access to data.

John said, “IdentityIQ File Access Manager is an incredibly powerful tool, and SMUD has seen a dramatic reduction in IT risk by securing our unstructured data and having visibility into where it resides.”

SMUD uses the data discovery and classification feature of IdentityIQ File Access Manager to search for sensitive data, allowing them to classify the data and put effective controls in place to manage and protect it. This capability is extremely helpful for validating compliance with PCI and looking for credit card information.

SMUD also monitors native changes in Active Directory to ensure no one is circumventing the IdentityIQ provisioning process. SMUD falls under the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) compliance regulations, which require them to ensure no one is added to certain security groups without approval. If someone is added natively, IdentityIQ File Access Manager alerts the IAM team and automatically reverses the native change.

John was especially pleased with this functionality. “IdentityIQ File Access Manager enforces and monitors the policies set up within IdentityIQ,” he said. “We monitor access to applications very strictly, and using a tool that quickly reacts in a short amount of time and removes access given through an improper channel helps us sleep better at night.”